“When you need something to be true, you will look for patterns; you connect the dots like the stars of a constellation. Your brain abhors disorder. You see faces in clouds and demons in bonfires. Those who claim the powers of divination hijack these natural human tendencies. They know they can depend on you to use subjective validation in the moment and confirmation bias afterward.”

Author: David McRaney

This article is about the DNC breach and its attribution to the Russian government. But first, imagine that the DNC breach wasn’t a network breach but a shooting (no one was injured). No one knows who the shooter was, but he left behind his weapon, a Kalashnikov AKM.

The unknown shooter used a Russian-made weapon. Does that mean the shooter is Russian? Or that the shooter works for the manufacturer, Kalashnikov Concern? Or, even more likely in the crazy world of cyber investigations, that the designer of the AKM is also the shooter?

Police would certainly explore the possibility that the shooter was Russian, but they wouldn’t exclude other suspects. And no investigator in his right mind would arrest the CEO of Remington Arms, Sig Sauer, Kalashnikov Concern or any other arms manufacturer because a gun they made was used in a crime.

In the physical world of crime investigation, common sense dictates that the perpetrator of a crime may use any weapon and not just one made in the country of his birth, and that the developer or manufacturer of the weapon most likely isn’t the criminal.

And yet, those seemingly crazy assumptions are made every day by cybersecurity companies involved in incident response and threat intelligence.

Russian-language strings or comments in the malware? It was a Russian who attacked you.

Chinese characters in the code? You’ve been hacked by the People’s Liberation Army.
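As an added illustration (not part of the original article), here is a Python sketch of exactly that reasoning, run over constructed byte blobs that stand in for binaries: extract the printable strings, classify their script, read a locale field, and name a country. The samples, the “LANGID=” marker that stands in for a PE resource language field, and the decision rule are assumptions made for this example; the Windows locale IDs and the Unicode script ranges are real. The second half shows how an operator can plant the same indicators in seconds without changing a byte of the working code, which is why a verdict built on them is guesswork rather than evidence.

```python
import re
import struct
from collections import Counter

# Windows locale IDs as they appear in PE resource directories (real values).
LCID_NAMES = {0x0409: "en-US", 0x0419: "ru-RU", 0x0804: "zh-CN"}

# Unicode script blocks (real ranges) used to classify extracted strings.
SCRIPT_RANGES = {
    "cyrillic": re.compile(r"[\u0400-\u04FF]"),
    "han": re.compile(r"[\u4E00-\u9FFF]"),
}

# A run of 4+ characters that are printable ASCII or well-formed 2/3-byte UTF-8.
# Continuation bytes cannot start a match, so every hit decodes cleanly.
UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}){4,}"
)

# Constructed stand-in for a PE resource language field: "LANGID=" + LCID (LE).
# Real binaries carry this inside the resource directory; the marker is an
# assumption made so the example does not need a PE parser.
LANGID_MARK = re.compile(rb"LANGID=(..)", re.DOTALL)


def extract_strings(blob):
    """Return the printable strings in a blob (ASCII and UTF-8)."""
    return [m.group().decode("utf-8", errors="replace")
            for m in UTF8_RUN.finditer(blob)]


def script_counts(strings):
    """Count how many strings contain Cyrillic or Han characters."""
    counts = Counter()
    for s in strings:
        for name, rx in SCRIPT_RANGES.items():
            if rx.search(s):
                counts[name] += 1
    return counts


def locale_ids(blob):
    """Return every locale ID found behind a LANGID= marker."""
    return [struct.unpack("<H", m.group(1))[0] for m in LANGID_MARK.finditer(blob)]


def naive_attribution(blob):
    """The rule the article criticises, made explicit: any Cyrillic string or
    ru-RU locale means 'Russia', any Han string or zh-CN locale means 'China'.
    Returns (verdict, evidence) so the reader can see what the verdict rests on."""
    counts = script_counts(extract_strings(blob))
    locales = [LCID_NAMES.get(lcid, hex(lcid)) for lcid in locale_ids(blob)]
    evidence = {"strings": dict(counts), "locales": locales}
    if counts["cyrillic"] or "ru-RU" in locales:
        return "Russia", evidence
    if counts["han"] or "zh-CN" in locales:
        return "China", evidence
    return "unknown", evidence


def plant_indicators(blob, lcid, decoy_strings):
    """What any operator can do before shipping a tool: prepend a locale marker
    and a few foreign-language strings. The original bytes are untouched."""
    decoys = "\0".join(decoy_strings).encode("utf-8")
    return b"LANGID=" + struct.pack("<H", lcid) + b"\0" + decoys + b"\0" + blob


# Constructed sample (not real malware): a string table with Windows API names,
# a PDB path and an en-US locale marker, as a build machine would leave them.
ENGLISH_SAMPLE = (
    b"LANGID=" + struct.pack("<H", 0x0409) + b"\0"
    b"CreateRemoteThread\0WinHttpSendRequest\0"
    b"C:\\Users\\dev\\build\\loader.pdb\0"
)
# The same sample after two different operators "dressed" it.
RUSSIAN_LOOKING = plant_indicators(
    ENGLISH_SAMPLE, 0x0419, ["Ошибка загрузки модуля", "Готово"])
CHINESE_LOOKING = plant_indicators(
    ENGLISH_SAMPLE, 0x0804, ["加载模块失败", "操作完成"])


def payload_unchanged(dressed, original):
    """True when dressing only added bytes in front of the original code."""
    return dressed.endswith(original)


if __name__ == "__main__":
    for label, blob in [("plain", ENGLISH_SAMPLE),
                        ("russian-looking", RUSSIAN_LOOKING),
                        ("chinese-looking", CHINESE_LOOKING)]:
        verdict, evidence = naive_attribution(blob)
        print(f"{label:16} -> {verdict:8} {evidence}")
    print("same payload:", payload_unchanged(RUSSIAN_LOOKING, ENGLISH_SAMPLE))
```

Run as a script, the plain sample comes back “unknown”, and the two dressed copies of the very same bytes come back “Russia” and “China”; the evidence dictionary for the Russian-looking copy even lists both ru-RU and en-US locales, which the naive rule ignores. Real binaries need a proper PE or ELF parser rather than the marker used here, but the point carries over: strings, locale fields and compile timestamps are attacker-controlled inputs, not fingerprints.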

The DNC Breach

On June 15, 2016, CrowdStrike’s co-founder and CTO Dmitri Alperovitch announced in a blog post that two Russian hacker groups, Cozy Bear and Fancy Bear, were responsible for the DNC breach, and that the two groups worked for competing Russian intelligence services.

Other cybersecurity companies, including FireEye, Kaspersky Lab, ESET, Trend Micro, Microsoft, iSight Partners and AlienLab, have made similar claims of attribution to the Russian government. The question this article seeks to answer is whether those claims are grounded in evidence or in guesswork.

I chose to look at Fancy Bear (APT28 in FireEye’s naming). The most comprehensive report on that threat actor was written by FireEye and released in October 2014, so I started there. To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

“APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities, including all of its known targets, other theories about this group could have emerged; for example, that the developers of the malware and the operators using it were not the same people, or even necessarily affiliated.

While all of the cybersecurity companies that produced articles or reports about this group agree that it has engaged in espionage, FireEye insisted, both in print and in interviews, that the group’s espionage was narrowly targeted and not economically motivated. Here is FireEye’s Director of Threat Intelligence, Laura Galante, speaking about APT28 in an October 28, 2014 Threatpost post:

“With the Russian group, the victim set is narrow and the type of operations occurring are distinct from intellectual property and financial data theft that the Chinese groups focus on,” Galante said. “The majority of Chinese groups go after trade secrets to help their state-owned enterprises in China. Sure there is a military and political application to a lot of the information taken by Chinese groups, but the defining feature is secrets from economic sectors.”

The victim set is narrow because the report’s authors made it narrow. In fact, the targeting wasn’t narrow at all once you take into account the targets reported by other cybersecurity companies, not to mention those that FireEye deliberately left out as “not particularly indicative of a specific sponsor’s interests.”

For example:

A PricewaterhouseCoopers report mentioned energy companies and web service providers as additional targets.

As for intellectual property theft, all of the companies, FireEye included, list defense trade shows and exhibitions as frequent targets of this group. There is no reason to target defense exhibitors at trade shows other than economic espionage, even when it is done by a foreign intelligence service for its own nation’s benefit.

In a 2011 speech to the GRU, then-President Medvedev explicitly included that mission in his remarks:

“The world is changing, the situation is changing, and that requires the adjustment of not only the intelligence priorities but also the procedures used to achieve our objectives.

“As a consequence, we have reorganised the entire system of military intelligence. These changes have already been made. The results of the previous period showed that the GRU is successfully coping with its challenges and that in general the military intelligence operates professionally and efficiently.

“Nevertheless, it is necessary to further increase the Directorate’s operational and information capacity, and analytical potential. You have been making progress in all of these areas. It is necessary to monitor the global military and political situation, to foresee the potential threats, which do exist, and to suggest ways to neutralise these threats.

“In general, you must keep track of new developments in the defence industry. (emphasis added)

“One of the key objectives of all Russian special services, including the military intelligence, is the fight against international terrorism. We must identify the channels for supplying weapons and funds to terrorists; we must always stay ahead of the game, thwarting the criminals’ plans, and if necessary, sharing information with our partners because the war on terror is global.”

Who Is Responsible?

The person or persons responsible are unknown, but let’s assume that CrowdStrike is correct and the responsible party is a group of Russian hackers employed by one or more of Russia’s intelligence services, using APT28 malware developed and maintained by a Russian lab.

Or — the DNC was breached by a Russian-speaking hacker (Guccifer 2.0?) who is not employed by the Russian intelligence services but has access to the APT28 malware.

Or — the DNC was breached by a Russian hacker who does contract work for the FSB when he isn’t running his own hacker-for-hire business for Russian oligarchs and Swiss lawyers.

Or — the DNC was breached by multiple actors including all of the above.

Attribution is hard enough without cybersecurity companies picking the evidence they need to support the conclusion they want, using threat actor models that are devoid of common sense. We can do better.

UPDATED 6/21/16

Here’s a perfect example of how flawed attribution by technical indicators can be. Bloomberg reported that the Bangladesh Central Bank cyber heist, initially attributed to North Korean hackers because the malware resembled that used against Sony Pictures Entertainment in 2014, may actually be the work of Russian hackers.